Adobe Adopts Microsoft's Patch Tuesday Approach

Following a series of high-profile attacks that leveraged security vulnerabilities in its PDF Reader and Acrobat applications, Adobe Systems Inc. is making a major push to revamp its approach to security. The company said today that it plans to ship security updates more regularly and push out emergency updates more speedily, and that it will be continually stress-testing those products to find and close security holes before hackers can exploit them.

In announcing the changes, Adobe is borrowing several pages from Microsoft's security playbook. Redmond ships updates on the second Tuesday of each month and regularly fixes vulnerabilities that its in-house researchers have uncovered. Sometime this summer, Adobe will begin shipping patches on a quarterly basis -- on the second Tuesday of every third month.

Brad Arkin, Adobe's director for product security and privacy, said that day was picked to help lighten the load on businesses, most of which already are primed with staff and resources to test and apply Microsoft updates from Patch Tuesday.

"The feedback from customers is that getting any patches for Reader and Acrobat out at the same time as Microsoft allows them to leverage existing processes and resources to get desktops updated as quickly as possible," Arkin said.

In between quarterly updates, Adobe will work to quickly push out as-needed updates for any newly discovered security holes that hackers are actively exploiting in vulnerable systems, Arkin added. Also, before a fix is available, Adobe will try to issue guidance to help customers mitigate the threat from the flaw.

Adobe's Reader and Acrobat products are almost as widely deployed as Microsoft's Windows operating system: The company says more than 500 million copies of its free Reader software have been distributed. But that broad adoption has made it a key target of hackers looking for ways to break into systems and steal data. According to Finnish anti-virus firm F-Secure Corp., nearly half of all targeted attacks this year -- e-mails attachments designed to exploit software vulnerabilities on the recipient's computer -- targeted known security flaws in Adobe Acrobat and Reader (see graphic below).

In mid-February, security experts learned that hackers had for at least a month been exploiting unpatched security holes in Acrobat and Reader to launch targeted attacks. At the time, a number of security experts chastised the San Jose, Calif., software maker for taking more than three weeks to ship a patch to fix those flaws. More recently, Adobe managed to ship updates for a dangerous new vulnerability just two weeks after researchers first posted details of the flaws. That patch came this month on Patch Tuesday, the same day Microsoft issued its updates.

Martin Roesch, chief technology officer for Sourcefire, based network security provider in Columbia, Md., said Adobe's move was most likely informed by pressure from the U.S. government, which is among the most frequent objects of targeted e-mail attacks.

"You just can't leave large swaths of the Internet knowingly exposed to the Internet for a long time when hackers know about a vulnerability," Roesch said.

By timing its patches to coincide with Patch Tuesday, Adobe is hoping more users will update their products more quickly after security patches are released. The company declined to release figures on how many users have the latest versions of Reader and Acrobat installed, but software security vulnerability management company Secunia said in a recent report that at least one-quarter of Reader users did not have the latest versions of the software installed.

Robert "Rsnake" Hansen, a security expert at SecTheory, a company routinely hired to break into companies to help them test their security, praised Adobe's decision to follow Microsoft's path on security.

"Microsoft has a lot to offer in terms of how they deal with vulnerability management, and they have some of the most responsible and well thought through patch management processes on earth, so it's unsurprising that Adobe is looking to them for leadership here."

Adobe's Arkin said the company also has begun subjecting Acrobat and Reader to an ongoing series of security tests to tease out new vulnerabilities the company may have missed in developing the software.

Hansen said finding and fixing security holes before attackers can is the most important step Adobe will be taking. But it is also the one that will be toughest to maintain, he said.

"It's easy to start down that path, but it's a lot harder to continue that level of testing and attention over a long period of time like Microsoft has done," he said.

This is good news, long overdue! I'm tired of the predictable, nonstop stream of Acrobat and Flash vulnerabilities.

It takes more than just looking, testing, and monthly releases on Patch Tuesday to be successful at creating a secure product. Missing is the magic phrase 'Security Development Lifecycle' that Microsoft uses, which implies many subprocesses and a change in Management's priorities. And for example, will they be using ASLR (Address Space Layout Randomization) to build software, and make their flash plugins operate on systems with full DEP enabled without crashing?